5.1.0 has introduced the NPAPI plugin /usr/lib/libkindleplugin.so (symlinked to /usr/lib/browser/plugins/libkindleplugin.so), which is used by the system-wide WebKit engine.

It is a scriptable plugin, so a webpage can embed it and invoke its "exported" native methods.

To embed:

Code:

<embed type="application/kindle-chrome-scriptable-plugin">

I gave enough information for googling about how to invoke the methods of this embedded plugin.

So far, I've found the following "exported" properties and methods:

property test (it just returns number 500)

method dev.log

method lipc.set

method lipc.get

method todo.scheduleItems

I don't know anything about the parameters of these methods and don't know whether they produce a sensible result at all. But if they are working, then OH-OH!, it could be dangerous, because it could be used by any website (yes, this plugin is accessible from the Web Browser).

I hope someone more proficient in understanding disassembled ARM C++ code will share more information about the usage of the plugin's methods.

To disable the plugin, just change the extension of the symlink in /usr/lib/browser/plugins (or remove this symlink). I believe it will be sufficient.
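A small helper for the mitigation described above, added here as an example and not posted by anyone in the thread: it checks whether the plugin's symlink is still in the browser plugin directory and renames it so WebKit will no longer load it. The directory is passed as a parameter so the functions can be tried on a scratch directory first; on the device itself it would be /usr/lib/browser/plugins, and the root filesystem may need to be remounted read-write beforehand (that step is assumed and not performed here).

```shell
# Added example (not from the thread): detect and neutralise the scriptable
# browser plugin by renaming its symlink, as suggested in the post above.
# Assumption: the plugin is loaded purely by its .so extension, so any other
# extension is enough to stop WebKit from picking it up.

PLUGIN_NAME="libkindleplugin.so"

# Returns 0 (true) when a plugin file or symlink with the loadable name
# exists in the given directory. A dangling symlink still counts, since it is
# the name that gets scanned.
kindle_plugin_active() {
    dir="$1"
    f="$dir/$PLUGIN_NAME"
    [ -e "$f" ] || [ -L "$f" ]
}

# Renames the plugin so it no longer has a .so extension. Returns 0 on
# success or when there was nothing to do, non-zero if the rename failed.
disable_kindle_plugin() {
    dir="$1"
    f="$dir/$PLUGIN_NAME"
    if [ -e "$f" ] || [ -L "$f" ]; then
        mv "$f" "$f.disabled"
    fi
}

# Lists every loadable plugin in the directory, useful for a quick audit of
# what else the browser would pick up.
list_browser_plugins() {
    dir="$1"
    for p in "$dir"/*.so; do
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s\n' "$p"
    done
}

# Usage on the device (root filesystem remounted writable first):
#   disable_kindle_plugin /usr/lib/browser/plugins
```

Renaming rather than deleting keeps the original file around, so the plugin can be restored by moving it back if a later firmware update or a WAF app turns out to need it.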

So this scriptable browser plugin is really dangerous. Any (I repeat, any!) website which is viewed by the user in the KT browser could secretly execute an arbitrary shell command with root privileges, so it will have absolute access to the KT OS, filesystem, system/user files, running processes, anything.

On the other hand, it could be used as a new method for easy jailbreaking through a website.

BTW, @silver18, this plugin could be used in WAF apps, I assume. You've needed to execute commands from a WAF application, haven't you?

It should be reported to Amazon immediately, but I didn't do it (and will not), as I'm curious whether somebody would want to implement that "jailbreak through website". All the information is already available in this thread.

I can very well understand that it is tempting to use this for a jailbreak. However, this is a very serious issue, given that there must be millions of units out there, that can now all be turned into botnet drones by just luring their owners on a website...


You did notice the wink and grin. Yes, a 3G botnet could be especially costly for Amazon (especially if it used the "social network" loophole out to the unrestricted internet on the Touch 3G).

If you execute an arbitrary command from the search bar (using the same "semi-colon" hack), it runs as user "framework", which is worse than nobody. The only place it can write is to its own subdirectory on /tmp/. About the only thing it is good for is viewing the shadow file so you can crack it with "john the ripper". None of the "usual" privilege escalation methods worked, so I was not able to gain root access from the search bar.


So, I am surprised that this lipc command runs things as root.

That is what was reported.
But do not take my post as an indication that I confirmed the report.


Thanks a lot!!
I'll start playing around with this as soon as I find something to use it for (in the meanwhile, I satisfied my needs with sqlite3 commands).

Anyway, I can't understand why Amazon didn't fix this security hole but locked the pinch-to-zoom feature (I can't get it to work in my "app" as I did before 5.1.0!!)...